VYPR

Tomcat Native

by Apache

Source repositories

CVEs (5)

  • CVE-2026-29145CriApr 9, 2026
    risk 0.52cvss 9.1epss 0.01

    CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through…

  • CVE-2018-8020HigJul 31, 2018
    risk 0.48cvss 7.4epss 0.04

    Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has a flaw that does not properly check OCSP pre-produced responses, which are lists (multiple entries) of certificate statuses. Subsequently, revoked client certificates may not be properly identified, allowing for users…

  • CVE-2018-8019HigJul 31, 2018
    risk 0.48cvss 7.4epss 0.04

    When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked…

  • CVE-2017-15698MedJan 31, 2018
    risk 0.39cvss 5.9epss 0.04

    When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native Connector 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for…

  • CVE-2026-24734Feb 17, 2026
    risk 0.00cvss epss 0.00

    Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate…